Escape tag values - there is no reason at all to render things which
might look like HTML tags in a tag value.

author    Tom Hughes <tom@compton.nu>
          Mon, 14 Sep 2009 23:17:02 +0000 (23:17 +0000)
committer Tom Hughes <tom@compton.nu>
          Mon, 14 Sep 2009 23:17:02 +0000 (23:17 +0000)

app/views/browse/_tag.html.erb
app/views/changeset/list.atom.builder

diff --git a/app/views/browse/_tag.html.erb b/app/views/browse/_tag.html.erb
index a9a122e6da6cbf9f49a6f6467323659f15e92535..5724b064611c396db2c38ccd6bef22b00155b9e5 100644 (file)
@@ -1,3 +1,3 @@
 <tr>
-  <td><%= h(tag[0]) %> = <%= sanitize(auto_link(tag[1])) %></td>
+  <td><%= h(tag[0]) %> = <%= auto_link(h(tag[1])) %></td>
 </tr> 
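Review bot: escaping before linkifying is the right order on the `+` line: `h(tag[1])` turns any `<`, `>`, `"` or `&` in the value into entities before `auto_link` wraps URLs in `<a>` elements, so the generated anchor markup survives while user-supplied markup cannot, and the href attribute cannot be broken out of with a `"`; the old `sanitize(auto_link(tag[1]))` relied on the sanitizer's allow-list to strip whatever the value smuggled in. One thing to check: because `h` now runs first, a `>` or `"` that previously terminated a URL has become `&gt;` or `&quot;`, and `auto_link`'s URL matcher may absorb that entity into both the href and the link text (a value such as `<http://example.com>` is the obvious case). Worth a quick render with a tag value that contains an angle-bracketed or quoted URL, and with a value that is a bare `<script>` string, to confirm the former links cleanly and the latter appears as text.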
diff --git a/app/views/changeset/list.atom.builder b/app/views/changeset/list.atom.builder
index 82309ee53164be7fd498af0fa6058a7993099a5f..7905ac77377031f9835807758b2c61565b626fd3 100644 (file)
@@ -68,7 +68,7 @@ atom_feed(:language => I18n.locale, :schema_date => 2009,
                 td.table :cellpadding => "0" do |table|
                   changeset.tags.sort.each do |tag|
                     table.tr do |tr|
-                      tr.td "#{h(tag[0])} = #{sanitize(tag[1])}"
+                      tr.td "#{h(tag[0])} = #{auto_link(h(tag[1]))}"
                     end
                   end
                 end
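Review bot: in a Builder template, `tr.td "..."` escapes its string argument when it writes the XML, so on the `+` line the `&lt;` and `&amp;` produced by `h(tag[1])` will be escaped a second time (showing up literally as `&lt;` in the feed reader) and the `<a>` elements emitted by `auto_link` will come out as escaped text rather than links; the same double escaping was already happening to `h(tag[0])` on the unchanged part of the line, so the value now gets the key's treatment plus some dead markup. Worth rendering the feed for a changeset whose tag value contains `<`, `&` and a URL and looking at the raw output. If plain text is the intent, `tr.td "#{tag[0]} = #{tag[1]}"` and letting Builder do the one escape is enough; if links are wanted in the xhtml content, the markup has to be appended unescaped, e.g. `tr.td { |td| td << auto_link(h(tag[1])) }`, so that only `h` escapes the value and `auto_link`'s anchors reach the output intact.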